What I can't understand is the use of tcp_dissect_pdus(). My question is: what length exactly should I return in the "get_len" function? Do I need to return the expected length of the PDU? And if so, what is the definition of the PDU (application layer data + header, or only data)?
Thanks

2009/2/23 Guy Harris <[email protected]>

>
> On Feb 22, 2009, at 12:19 PM, יוני תובל wrote:
>
> > I mean, should I expect that my dissection logic receives an
> > assembled buffer from the tcp_dissect_pdus?
>
> For protocols running over TCP and using tcp_dissect_pdus(), you need,
> in effect, two dissectors:
>
>     1) the dissector called from the TCP dissector, which receives raw
>        TCP segments, and calls tcp_dissect_pdus();
>
>     2) the dissector called from tcp_dissect_pdus(), which receives
>        reassembled messages.
>
> See, for example, the DNS dissector, in packet-dns.c; the first
> dissector is
>
>     static void
>     dissect_dns_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
>     {
>         tcp_dissect_pdus(tvb, pinfo, tree, dns_desegment, 2,
>             get_dns_pdu_len, dissect_dns_tcp_pdu);
>     }
>
> and the second dissector is
>
>     static void
>     dissect_dns_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
>     {
>         if (check_col(pinfo->cinfo, COL_PROTOCOL))
>             col_set_str(pinfo->cinfo, COL_PROTOCOL, "DNS");
>
>         dissect_dns_common(tvb, pinfo, tree, TRUE, FALSE, FALSE);
>     }
>
> where "dissect_dns_common()" dissects a DNS message. The DNS-over-UDP
> dissector does
>
>     static void
>     dissect_dns_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
>     {
>         if (check_col(pinfo->cinfo, COL_PROTOCOL))
>             col_set_str(pinfo->cinfo, COL_PROTOCOL, "DNS");
>
>         dissect_dns_common(tvb, pinfo, tree, FALSE, FALSE, FALSE);
>     }
>
> The first of the 3 Boolean arguments to dissect_dns_common() specifies
> whether this is DNS-over-UDP or DNS-over-TCP; for DNS-over-TCP, it
> assumes the message starts with a DNS-over-TCP header (with the
> message length), and dissects that as well.
>
> If your protocol runs *only* over TCP, your second dissector could do
> all the dissection work, rather than calling a common routine.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe
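The split between a length callback and the two dissectors discussed in this thread, as an added example that is not part of the original messages and is not Wireshark source: a standalone C model of the reassembly loop for a 2-byte big-endian length prefix, where the length callback returns the size of the whole PDU (length header plus payload). The names `stream_t`, `get_pdu_len`, `dissect_pdu`, `feed_segment` and the sample bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FIXED_LEN 2   /* bytes needed before the length field can be read */
typedef struct { uint8_t buf[4096]; size_t used; int pdus; size_t last_len; } stream_t;

/* Hypothetical get_len callback for a 2-byte big-endian length prefix.
 * Returns the length of the WHOLE PDU: length header plus payload. */
static size_t get_pdu_len(const uint8_t *p)
{
    return (((size_t)p[0] << 8) | p[1]) + FIXED_LEN;
}

/* Second-stage dissector: only ever called with one complete PDU. */
static void dissect_pdu(stream_t *s, const uint8_t *pdu, size_t len)
{
    (void)pdu;                 /* a real dissector would parse pdu[0..len) */
    s->pdus++;
    s->last_len = len;
}

/* First stage: takes one raw TCP segment; returns -1 if the buffer is full. */
static int feed_segment(stream_t *s, const uint8_t *seg, size_t len)
{
    size_t off = 0;
    if (len > sizeof s->buf - s->used) return -1;
    memcpy(s->buf + s->used, seg, len);
    s->used += len;
    while (s->used - off >= FIXED_LEN) {
        size_t plen = get_pdu_len(s->buf + off);
        if (s->used - off < plen) break;  /* PDU incomplete: wait for more data */
        dissect_pdu(s, s->buf + off, plen);
        off += plen;                      /* plen >= FIXED_LEN, so this advances */
    }
    memmove(s->buf, s->buf + off, s->used - off);
    s->used -= off;
    return 0;
}

int main(void)
{
    /* Constructed sample: PDUs 00 03 'a' 'b' 'c' and 00 01 'z', split across segments. */
    static stream_t s;
    const uint8_t seg1[] = {0x00}, seg2[] = {0x03, 'a', 'b'}, seg3[] = {'c', 0x00, 0x01, 'z'};
    feed_segment(&s, seg1, sizeof seg1);
    feed_segment(&s, seg2, sizeof seg2);
    feed_segment(&s, seg3, sizeof seg3);
    printf("pdus=%d last_len=%zu leftover=%zu\n", s.pdus, s.last_len, s.used);
    return 0;
}
```

If the callback returned only the payload length, the loop would hand `dissect_pdu` a PDU that is short by the header size and then misread payload bytes as the next length field.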
